authentik/passbook/app_gw/middleware.py

"""passbook app_gw middleware"""
import mimetypes
from logging import getLogger
from random import SystemRandom
from urllib.parse import urlparse

import certifi
import urllib3
from django.core.cache import cache
from django.utils.http import urlencode
from django.views.generic import RedirectView
from revproxy.exceptions import InvalidUpstream

from passbook.app_gw.models import ApplicationGatewayProvider
from passbook.app_gw.proxy.response import get_django_response
from passbook.app_gw.proxy.utils import encode_items, normalize_request_headers
from passbook.app_gw.rewrite import Rewriter
from passbook.core.models import Application
from passbook.core.policies import PolicyEngine
from passbook.lib.config import CONFIG

SESSION_UPSTREAM_KEY = 'passbook_app_gw_upstream'
IGNORED_HOSTNAMES_KEY = 'passbook_app_gw_ignored'
LOGGER = getLogger(__name__)
QUOTE_SAFE = r'<.;>\(}*+|~=-$/_:^@)[{]&\'!,"`'
ERRORS_MESSAGES = {
    'upstream-no-scheme': ("Upstream URL scheme must be either "
                           "'http' or 'https' (%s).")
}

# pylint: disable=too-many-instance-attributes
class ApplicationGatewayMiddleware:
    """Check if request should be proxied or handeled normally"""

    ignored_hosts = []
    request = None
    app_gw = None
    http = None
    http_no_verify = None
    host_header = ''

    _parsed_url = None
    _request_headers = None

    def __init__(self, get_response):
        self.get_response = get_response
        self.ignored_hosts = cache.get(IGNORED_HOSTNAMES_KEY, [])
        self.http_no_verify = urllib3.PoolManager()
        self.http = urllib3.PoolManager(
            cert_reqs='CERT_REQUIRED',
            ca_certs=certifi.where())

    def precheck(self, request):
        """Check if a request should be proxied or forwarded to passbook"""
        # Check if hostname is in cached list of ignored hostnames
        # This saves us having to query the database on each request
        self.host_header = request.META.get('HTTP_HOST')
        if self.host_header in self.ignored_hosts:
            LOGGER.debug("%s is ignored", self.host_header)
            return True, None
        # Look through all ApplicationGatewayProviders and check hostnames
        matches = ApplicationGatewayProvider.objects.filter(
            server_name__contains=[self.host_header],
            enabled=True)
        if not matches.exists():
            # Mo matching Providers found, add host header to ignored list
            self.ignored_hosts.append(self.host_header)
            cache.set(IGNORED_HOSTNAMES_KEY, self.ignored_hosts)
            LOGGER.debug("Ignoring %s", self.host_header)
            return True, None
        # At this point we're certain there's a matching ApplicationGateway
        if len(matches) > 1:
            # This should never happen
            raise ValueError
        app_gw = matches.first()
        try:
            # Check if ApplicationGateway is associated with application
            getattr(app_gw, 'application')
            return False, app_gw
        except Application.DoesNotExist:
            LOGGER.debug("ApplicationGateway not associated with Application")
            return True, None
        return True, None

    def __call__(self, request):
        forward, self.app_gw = self.precheck(request)
        if forward:
            return self.get_response(request)
        self.request = request
        return self.dispatch(request)

    def _get_upstream(self):
        """Choose random upstream and save in session"""
        if SESSION_UPSTREAM_KEY not in self.request.session:
            self.request.session[SESSION_UPSTREAM_KEY] = {}
        if self.app_gw.pk not in self.request.session[SESSION_UPSTREAM_KEY]:
            upstream_index = SystemRandom().randrange(len(self.app_gw.upstream))
            self.request.session[SESSION_UPSTREAM_KEY][self.app_gw.pk] = upstream_index
        return self.app_gw.upstream[self.request.session[SESSION_UPSTREAM_KEY][self.app_gw.pk]]

    def get_upstream(self):
        """Get upstream as parsed url"""
        upstream = self._get_upstream()

        self._parsed_url = urlparse(upstream)

        if self._parsed_url.scheme not in ('http', 'https'):
            raise InvalidUpstream(ERRORS_MESSAGES['upstream-no-scheme'] %
                                  upstream)

        return upstream

    def _format_path_to_redirect(self, request):
        LOGGER.debug("Path before: %s", request.get_full_path())
        rewriter = Rewriter(self.app_gw, request)
        after = rewriter.build()
        LOGGER.debug("Path after: %s", after)
        return after

    def get_proxy_request_headers(self, request):
        """Get normalized headers for the upstream
        Gets all headers from the original request and normalizes them.
        Normalization occurs by removing the prefix ``HTTP_`` and
        replacing and ``_`` by ``-``. Example: ``HTTP_ACCEPT_ENCODING``
        becames ``Accept-Encoding``.
        .. versionadded:: 0.9.1
        :param request:  The original HTTPRequest instance
        :returns:  Normalized headers for the upstream
        """
        return normalize_request_headers(request)

    def get_request_headers(self):
        """Return request headers that will be sent to upstream.
        The header REMOTE_USER is set to the current user
        if AuthenticationMiddleware is enabled and
        the view's add_remote_user property is True.
        .. versionadded:: 0.9.8
        """
        request_headers = self.get_proxy_request_headers(self.request)
        request_headers[self.app_gw.authentication_header] = self.request.user.get_username()
        LOGGER.info("%s set", self.app_gw.authentication_header)

        return request_headers

    def check_permission(self):
        """Check if user is authenticated and has permission to access app"""
        if not hasattr(self.request, 'user'):
            return False
        if not self.request.user.is_authenticated:
            return False
        policy_engine = PolicyEngine(self.app_gw.application.policies.all())
        policy_engine.for_user(self.request.user).with_request(self.request).build()
        passing, _messages = policy_engine.result

        return passing

    def get_encoded_query_params(self):
        """Return encoded query params to be used in proxied request"""
        get_data = encode_items(self.request.GET.lists())
        return urlencode(get_data)

    def _created_proxy_response(self, request, path):
        request_payload = request.body

        LOGGER.debug("Request headers: %s", self._request_headers)

        request_url = self.get_upstream() + path
        LOGGER.debug("Request URL: %s", request_url)

        if request.GET:
            request_url += '?' + self.get_encoded_query_params()
            LOGGER.debug("Request URL: %s", request_url)

        http = self.http
        if not self.app_gw.upstream_ssl_verification:
            http = self.http_no_verify

        try:
            proxy_response = http.urlopen(request.method,
                                          request_url,
                                          redirect=False,
                                          retries=None,
                                          headers=self._request_headers,
                                          body=request_payload,
                                          decode_content=False,
                                          preload_content=False)
            LOGGER.debug("Proxy response header: %s",
                         proxy_response.getheaders())
        except urllib3.exceptions.HTTPError as error:
            LOGGER.exception(error)
            raise

        return proxy_response

    def _replace_host_on_redirect_location(self, request, proxy_response):
        location = proxy_response.headers.get('Location')
        if location:
            if request.is_secure():
                scheme = 'https://'
            else:
                scheme = 'http://'
            request_host = scheme + self.host_header

            upstream_host_http = 'http://' + self._parsed_url.netloc
            upstream_host_https = 'https://' + self._parsed_url.netloc

            location = location.replace(upstream_host_http, request_host)
            location = location.replace(upstream_host_https, request_host)
            proxy_response.headers['Location'] = location
            LOGGER.debug("Proxy response LOCATION: %s",
                         proxy_response.headers['Location'])

    def _set_content_type(self, request, proxy_response):
        content_type = proxy_response.headers.get('Content-Type')
        if not content_type:
            content_type = (mimetypes.guess_type(request.path)[0] or
                            self.app_gw.default_content_type)
            proxy_response.headers['Content-Type'] = content_type
            LOGGER.debug("Proxy response CONTENT-TYPE: %s",
                         proxy_response.headers['Content-Type'])

    def dispatch(self, request):
        """Build proxied request and pass to upstream"""
        if not self.check_permission():
            to_url = 'https://%s/?next=%s' % (CONFIG.get('domains')[0], request.get_full_path())
            return RedirectView.as_view(url=to_url)(request)

        self._request_headers = self.get_request_headers()

        path = self._format_path_to_redirect(request)
        proxy_response = self._created_proxy_response(request, path)

        self._replace_host_on_redirect_location(request, proxy_response)
        self._set_content_type(request, proxy_response)
        response = get_django_response(proxy_response, strict_cookies=False)

        LOGGER.debug("RESPONSE RETURNED: %s", response)
        return response
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00			`"""passbook app_gw middleware"""`
			`import mimetypes`
			`from logging import getLogger`
Choose upstream more cleverly 2019-04-10 16:49:33 +00:00			`from random import SystemRandom`
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00			`from urllib.parse import urlparse`

			`import certifi`
			`import urllib3`
			`from django.core.cache import cache`
			`from django.utils.http import urlencode`
prepare 0.1.27 2019-03-22 13:51:09 +00:00			`from django.views.generic import RedirectView`
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00			`from revproxy.exceptions import InvalidUpstream`

			`from passbook.app_gw.models import ApplicationGatewayProvider`
Move code from django-revproxy to app_gw to fix cookie bug 2019-04-10 17:03:22 +00:00			`from passbook.app_gw.proxy.response import get_django_response`
			`from passbook.app_gw.proxy.utils import encode_items, normalize_request_headers`
implement actual Rewriting logic 2019-03-21 15:22:07 +00:00			`from passbook.app_gw.rewrite import Rewriter`
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00			`from passbook.core.models import Application`
Check for policies in app_gw 2019-03-21 13:53:47 +00:00			`from passbook.core.policies import PolicyEngine`
prepare 0.1.27 2019-03-22 13:51:09 +00:00			`from passbook.lib.config import CONFIG`
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00
Choose upstream more cleverly 2019-04-10 16:49:33 +00:00			`SESSION_UPSTREAM_KEY = 'passbook_app_gw_upstream'`
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00			`IGNORED_HOSTNAMES_KEY = 'passbook_app_gw_ignored'`
			`LOGGER = getLogger(__name__)`
			QUOTE_SAFE = r'<.;>\(}*+\|~=-$/_:^@)[{]&\'!,"`'
			`ERRORS_MESSAGES = {`
			`'upstream-no-scheme': ("Upstream URL scheme must be either "`
			`"'http' or 'https' (%s).")`
			`}`

			`# pylint: disable=too-many-instance-attributes`
			`class ApplicationGatewayMiddleware:`
			`"""Check if request should be proxied or handeled normally"""`

			`ignored_hosts = []`
			`request = None`
			`app_gw = None`
			`http = None`
			`http_no_verify = None`
			`host_header = ''`

			`_parsed_url = None`
			`_request_headers = None`

			`def __init__(self, get_response):`
			`self.get_response = get_response`
			`self.ignored_hosts = cache.get(IGNORED_HOSTNAMES_KEY, [])`
			`self.http_no_verify = urllib3.PoolManager()`
			`self.http = urllib3.PoolManager(`
			`cert_reqs='CERT_REQUIRED',`
			`ca_certs=certifi.where())`

			`def precheck(self, request):`
			`"""Check if a request should be proxied or forwarded to passbook"""`
			`# Check if hostname is in cached list of ignored hostnames`
			`# This saves us having to query the database on each request`
			`self.host_header = request.META.get('HTTP_HOST')`
			`if self.host_header in self.ignored_hosts:`
			`LOGGER.debug("%s is ignored", self.host_header)`
			`return True, None`
			`# Look through all ApplicationGatewayProviders and check hostnames`
			`matches = ApplicationGatewayProvider.objects.filter(`
			`server_name__contains=[self.host_header],`
			`enabled=True)`
			`if not matches.exists():`
			`# Mo matching Providers found, add host header to ignored list`
			`self.ignored_hosts.append(self.host_header)`
			`cache.set(IGNORED_HOSTNAMES_KEY, self.ignored_hosts)`
			`LOGGER.debug("Ignoring %s", self.host_header)`
			`return True, None`
			`# At this point we're certain there's a matching ApplicationGateway`
			`if len(matches) > 1:`
Choose upstream more cleverly 2019-04-10 16:49:33 +00:00			`# This should never happen`
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00			`raise ValueError`
			`app_gw = matches.first()`
			`try:`
Choose upstream more cleverly 2019-04-10 16:49:33 +00:00			`# Check if ApplicationGateway is associated with application`
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00			`getattr(app_gw, 'application')`
			`return False, app_gw`
			`except Application.DoesNotExist:`
			`LOGGER.debug("ApplicationGateway not associated with Application")`
			`return True, None`
			`return True, None`

			`def __call__(self, request):`
			`forward, self.app_gw = self.precheck(request)`
			`if forward:`
			`return self.get_response(request)`
			`self.request = request`
			`return self.dispatch(request)`

Choose upstream more cleverly 2019-04-10 16:49:33 +00:00			`def _get_upstream(self):`
			`"""Choose random upstream and save in session"""`
			`if SESSION_UPSTREAM_KEY not in self.request.session:`
			`self.request.session[SESSION_UPSTREAM_KEY] = {}`
			`if self.app_gw.pk not in self.request.session[SESSION_UPSTREAM_KEY]:`
			`upstream_index = SystemRandom().randrange(len(self.app_gw.upstream))`
			`self.request.session[SESSION_UPSTREAM_KEY][self.app_gw.pk] = upstream_index`
			`return self.app_gw.upstream[self.request.session[SESSION_UPSTREAM_KEY][self.app_gw.pk]]`

initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00			`def get_upstream(self):`
			`"""Get upstream as parsed url"""`
Choose upstream more cleverly 2019-04-10 16:49:33 +00:00			`upstream = self._get_upstream()`
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00
always parse url instead of once 2019-03-22 09:55:04 +00:00			`self._parsed_url = urlparse(upstream)`
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00
			`if self._parsed_url.scheme not in ('http', 'https'):`
			`raise InvalidUpstream(ERRORS_MESSAGES['upstream-no-scheme'] %`
			`upstream)`

			`return upstream`

implement actual Rewriting logic 2019-03-21 15:22:07 +00:00			`def _format_path_to_redirect(self, request):`
			`LOGGER.debug("Path before: %s", request.get_full_path())`
			`rewriter = Rewriter(self.app_gw, request)`
			`after = rewriter.build()`
			`LOGGER.debug("Path after: %s", after)`
			`return after`
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00
			`def get_proxy_request_headers(self, request):`
			`"""Get normalized headers for the upstream`
			`Gets all headers from the original request and normalizes them.`
			Normalization occurs by removing the prefix ``HTTP_`` and
			replacing and ``_`` by ``-``. Example: ``HTTP_ACCEPT_ENCODING``
			becames ``Accept-Encoding``.
			`.. versionadded:: 0.9.1`
			`:param request: The original HTTPRequest instance`
			`:returns: Normalized headers for the upstream`
			`"""`
			`return normalize_request_headers(request)`

			`def get_request_headers(self):`
			`"""Return request headers that will be sent to upstream.`
			`The header REMOTE_USER is set to the current user`
			`if AuthenticationMiddleware is enabled and`
			`the view's add_remote_user property is True.`
			`.. versionadded:: 0.9.8`
			`"""`
			`request_headers = self.get_proxy_request_headers(self.request)`
Check for policies in app_gw 2019-03-21 13:53:47 +00:00			`request_headers[self.app_gw.authentication_header] = self.request.user.get_username()`
			`LOGGER.info("%s set", self.app_gw.authentication_header)`
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00
			`return request_headers`

Check for policies in app_gw 2019-03-21 13:53:47 +00:00			`def check_permission(self):`
			`"""Check if user is authenticated and has permission to access app"""`
			`if not hasattr(self.request, 'user'):`
			`return False`
			`if not self.request.user.is_authenticated:`
			`return False`
			`policy_engine = PolicyEngine(self.app_gw.application.policies.all())`
			`policy_engine.for_user(self.request.user).with_request(self.request).build()`
			`passing, _messages = policy_engine.result`

			`return passing`
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00
			`def get_encoded_query_params(self):`
			`"""Return encoded query params to be used in proxied request"""`
			`get_data = encode_items(self.request.GET.lists())`
			`return urlencode(get_data)`

implement actual Rewriting logic 2019-03-21 15:22:07 +00:00			`def _created_proxy_response(self, request, path):`
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00			`request_payload = request.body`

			`LOGGER.debug("Request headers: %s", self._request_headers)`

			`request_url = self.get_upstream() + path`
			`LOGGER.debug("Request URL: %s", request_url)`

			`if request.GET:`
			`request_url += '?' + self.get_encoded_query_params()`
			`LOGGER.debug("Request URL: %s", request_url)`

			`http = self.http`
			`if not self.app_gw.upstream_ssl_verification:`
			`http = self.http_no_verify`

			`try:`
			`proxy_response = http.urlopen(request.method,`
			`request_url,`
			`redirect=False,`
			`retries=None,`
			`headers=self._request_headers,`
			`body=request_payload,`
			`decode_content=False,`
			`preload_content=False)`
			`LOGGER.debug("Proxy response header: %s",`
			`proxy_response.getheaders())`
			`except urllib3.exceptions.HTTPError as error:`
			`LOGGER.exception(error)`
			`raise`

			`return proxy_response`

			`def _replace_host_on_redirect_location(self, request, proxy_response):`
			`location = proxy_response.headers.get('Location')`
			`if location:`
			`if request.is_secure():`
			`scheme = 'https://'`
			`else:`
			`scheme = 'http://'`
			`request_host = scheme + self.host_header`

			`upstream_host_http = 'http://' + self._parsed_url.netloc`
			`upstream_host_https = 'https://' + self._parsed_url.netloc`

			`location = location.replace(upstream_host_http, request_host)`
			`location = location.replace(upstream_host_https, request_host)`
			`proxy_response.headers['Location'] = location`
			`LOGGER.debug("Proxy response LOCATION: %s",`
			`proxy_response.headers['Location'])`

			`def _set_content_type(self, request, proxy_response):`
			`content_type = proxy_response.headers.get('Content-Type')`
			`if not content_type:`
			`content_type = (mimetypes.guess_type(request.path)[0] or`
			`self.app_gw.default_content_type)`
			`proxy_response.headers['Content-Type'] = content_type`
			`LOGGER.debug("Proxy response CONTENT-TYPE: %s",`
			`proxy_response.headers['Content-Type'])`

			`def dispatch(self, request):`
			`"""Build proxied request and pass to upstream"""`
prepare 0.1.27 2019-03-22 13:51:09 +00:00			`if not self.check_permission():`
			`to_url = 'https://%s/?next=%s' % (CONFIG.get('domains')[0], request.get_full_path())`
			`return RedirectView.as_view(url=to_url)(request)`
Check for policies in app_gw 2019-03-21 13:53:47 +00:00
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00			`self._request_headers = self.get_request_headers()`

implement actual Rewriting logic 2019-03-21 15:22:07 +00:00			`path = self._format_path_to_redirect(request)`
			`proxy_response = self._created_proxy_response(request, path)`
initial implementation of reverse proxy, using django-revproxy from within a middleware add new config entry "primary_domain" which is used to set the cookie domain 2019-03-20 21:42:47 +00:00
			`self._replace_host_on_redirect_location(request, proxy_response)`
			`self._set_content_type(request, proxy_response)`
			`response = get_django_response(proxy_response, strict_cookies=False)`

			`LOGGER.debug("RESPONSE RETURNED: %s", response)`
			`return response`